Facebook Under Fire: From academic botnets to actual data police

Creating a fake Facebook account has always been a violation of Facebook’s terms and conditions so, on the face of it, researchers from the University of British Columbia (UBC) have just racked up a bunch of violations. How? As reported by TechCrunch and PC World, they created a network of about 100 bots that acted like humans, then the researchers pointed the botnet at Facebook and told it to make friends with human users and collect personal data, as described in this paper: The Socialbot Network: When Bots Socialize for Fame and Money.

Before anyone panics, all the fake accounts and harvested data have been destroyed, according to the researchers. What remains frightening is the ease with which the attack was carried out, the degree to which it succeeded, and the vast amount of data (250 gigabytes) that it harvested in a very short period of time, using relatively few resources.

The techniques used in the attack are detailed in the research paper (PDF), which will be presented in December at the 27th Annual Computer Security Applications Conference in Orlando, Florida. But you don't have to be an academic security researcher to imagine what might happen if you substituted "well-funded criminals" for "ethical researchers in academia". Yet it is not clear what is stopping that from happening. The UBC research was, in effect, a test of the Facebook Immune System, which is intended to prevent fake account creation. The researchers found that only 1 in 5 fake profiles were blocked by Facebook. If you have criminal intentions, this is good news. The chances of getting funding for your illegal Facebook scam based on fake accounts just improved. (I can see the UBC study being part of the investor package at VC briefings, where VC = Vice Capital.)

None of which is good news for Facebook, which is currently dealing with an audit in Europe that is intended "to determine whether Facebook has violated Ireland's data protection laws." That doesn't sound like a big deal until you realize that Ireland is where Facebook chose to base its European operations, and Ireland's laws cover a lot of Facebook's non-US members, oh, and the Europeans take their privacy very seriously.

European countries have Data Protection Commissioners and, as the Huffington Post reported last month, the Irish Data Protection Commissioner is looking into Facebook because, when Max Schrems, a 24-year-old law student in Austria, asked Facebook for a copy of all the data pertaining to him that Facebook had collected, he was sent a CD containing more than 1,200 pages (including wall posts, messages, removed friends, pokes, and more). Much of this data was a surprise to Schrems because he thought he had deleted most of that activity. The report from the Data Protection Commissioner should be published by the end of the year.

And just to round out the current privacy and security threat-scape for Facebook, one of the few Internet companies that is larger than Facebook, namely Google, just entered a new phase of scrutiny from the Federal Trade Commission, known as a Consent Order. The first phase comes in two parts. Google must establish and implement, and thereafter maintain, a comprehensive privacy program that is reasonably designed to: address privacy risks related to the development and management of new and existing products and services for consumers; and protect the privacy and confidentiality of covered information. And it can't be any old privacy program: "Such program, the content and implementation of which must be documented in writing, shall contain privacy controls and procedures appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the covered information, including…" (5 key points follow, all of which are spelled out in the Consent Order listed here).

The second phase of the FTC Consent Order requires Google to obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional…right now and every two years thereafter, for twenty years. Yep, that's 20 years. I'm thinking an order like that would not sit well with Facebook, but the FTC has been asked to look into how Facebook handles privacy and security. (For more on the FTC v. Google matter, check out Andrew Serwin's post on the original announcement.)

Let us know what you think about Facebook security. Do you think Facebook is doing a good job protecting your personal data, or do you stay away from Facebook because of security concerns? And what do you think of research like this, which violates terms and conditions in order to prove a point?

I agree with what those researchers did. If I knew how, I'd be doing the same thing. These people need to know where their flaws lie. Not to mention, I also believe that people are too leery and too concerned. And you're probably going to throw up, since you belong to a security firm, after reading my next statement, but I really don't care who gets my info as long as they are not going to distribute it to scammers (which I don't think Facebook does intentionally anyway). I'm on maybe 15 or so message boards and I enjoy contact with people who have things in common with me. And I don't consider my name and email address personal information; rather, personal information to me is things like my address, SSN, and the like. I might be a little too lenient since I'm trying to train for life in the server room, but whatever.

David Harley

Katherine, how you feel about your data is, of course, entirely up to you. Hopefully, when you’re in the server room, you’ll bear in mind that you can’t only take your own opinions into account when you’re looking after data that belongs to other people. ;-)